Collaborative detection and filtering of DDoS attacks in ISP core networks
收藏Mendeley Data2024-01-31 更新2024-06-29 收录
下载链接:
https://digitallibrary.usc.edu/asset-management/2A3BF1MW5A32
下载链接
链接失效反馈官方服务:
资源简介:
Unrestricted Distributed denial of services (DDoS) attacks pose a major threat to the Internet. Although one promising solution should be a real distributed scheme covering a wide area, most reported solutions conform to the end-to-end paradigm and target end-node victims. Because these solutions could not detect anomalies incurring inside the intermediate network, they could not detect the DDoS attacks at an early stage.; This dissertation explores the defense against DDoS attacks from an ISP perspective. A distributed scheme over multiple ISP domains is proposed, which relies on ISP network routers monitoring traffic fluctuations and information sharing with peers. To resolve the security policy conflicts, a new secure infrastructure protocol (SIP) is developed to establish trust between ISPs. SIP provides a secure platform supporting collaborative detection and responses to DDoS attacks. Distributed schemes are proposed to fight against both the brute force flooding DDoS attacks and the stealthy low-rate TCP-targeted DDoS attacks.; Having observed the directionality and aggregation characteristics in the spatiotemporal pattern of the flooding flows, a distributed change-point (DCP) detection architecture was developed using change aggregation trees (CAT). The DCP scheme detects traffic variances across network domains and all CAT servers exchange alert information to make global detection decisions. After early detection, MAlicious Flow Identification and Cutoff (MAFIC) issues lightweight probes to flow sources to segregate malicious flows with minimized bilateral damage.; A novel spectral template-matching approach is proposed to counter shrew DDoS attacks. Combining digital signal processing techniques and hypothesis testing, collaborative detection and filtering (CDF) detects and cuts off shrew attack flows embedded in legitimate TCP/UDP streams by spectral analysis.; The performance of the distributed schemes is evaluated through intensive experiments on DETER testbeds and NS-2 simulators. Experiment results show a significant improvement was achieved by detecting anomalies crossing multiple ISP networks cooperatively. Information sharing among neighbor routers and SIP servers effectively increased detection rates while decreasing the number of false alarms. The experiments verified the effectiveness of DCP and CDF schemes and achieved encouraging results.
无限制分布式拒绝服务攻击(Distributed Denial of Service,DDoS)对互联网构成重大威胁。尽管具备广域覆盖能力的分布式架构是颇具前景的解决方案,但现有多数公开方案均遵循端到端范式,且仅针对终端节点受害者展开防御。由于此类方案无法检测中间网络内部产生的异常流量,因此无法对DDoS攻击实现早期预警。本论文从互联网服务提供商(Internet Service Provider,ISP)的视角出发,研究DDoS攻击的防御机制。本文提出一种跨多个ISP域的分布式防御架构,该架构依托ISP网络路由器对流量波动进行监测,并与对等节点共享相关信息。为解决安全策略冲突问题,本文设计了一种全新的安全基础设施协议(Secure Infrastructure Protocol,SIP),用于在不同ISP之间建立信任机制。SIP可为协同检测与响应DDoS攻击提供安全可靠的支撑平台。本文还提出了多种分布式防御方案,可同时应对暴力泛洪型DDoS攻击与隐蔽性低速率TCP定向DDoS攻击。研究团队通过分析泛洪流量的时空分布特征,发现其具备方向性与聚合性,据此设计了基于变化聚合树(Change Aggregation Tree,CAT)的分布式变点检测架构(Distributed Change-Point,DCP)。DCP架构可跨网络域检测流量异常波动,所有CAT服务器通过共享告警信息,实现全局检测决策。在完成早期检测后,恶意流量识别与阻断系统(Malicious Flow Identification and Cutoff,MAFIC)会向流量源发起轻量级探测,以在最小化双向损害的前提下隔离恶意流量。本文提出一种全新的频谱模板匹配方法,用于对抗诡雷DDoS攻击(Shrew DDoS Attacks)。该方法结合数字信号处理技术与假设检验理论,通过频谱分析实现协同检测与过滤(Collaborative Detection and Filtering,CDF),可从合法TCP/UDP数据流中识别并阻断嵌入其中的诡雷攻击流量。本文通过在DETER测试床与NS-2模拟器上开展大量实验,对所提分布式防御方案的性能进行了评估。实验结果表明,通过跨多个ISP网络协同检测异常流量,可显著提升防御效果。相邻路由器与SIP服务器之间的信息共享,可有效提升检测率并降低误报率。实验验证了DCP与CDF方案的有效性,并取得了令人满意的实验结果。
创建时间:
2024-01-31



